SUNY Compliance Roles


Various State and Federal laws, as well as SUNY Policies, require that SUNY campuses officially designate an employee (whether by name or title) to fill a particular compliance function or responsibility. The following is a list of roles that SUNY campuses are required to have officially designated, as well as details of the role, responsibilities, and scope for the employee designated to fill the role.

It is important to note that this list is not representative of all the compliance roles and responsibilities that must occur throughout a campus. Instead, this list is ONLY comprised of the compliance roles that require a formal designation per a law or policy that states a designation must be formally given.

Note that there are still many other compliance roles and responsibilities that exist throughout our campuses that are not included in the list below of those roles that must be formally designated. The compliance mandates and responsibilities that SUNY is subject to as a result of federal and state law, SUNY Policy, and other sources are much more extensive than the list of roles outlined on this page. You can learn more about many of these other compliance subject areas in the Compliance Topics section of this site. The Higher Education Compliance Alliance maintains a comprehensive Federal Compliance Matrix of the federal laws and regulations governing colleges and universities.

Note that campuses can also elect to make certain compliance roles a formal designation at their institution, even if they are not required to do so by law or policy. This is a best practice for compliance because it clearly designates who has responsibility over a specific compliance function or task. As an example, higher education institutions are not required by federal law to have a 'Clery Act' coordinator, but many campuses have formally designated a person on their campus as the 'Clery Coordinator' to ensure clarity over who is responsible for overseeing compliance with the Clery Act at their campus.

Federally Mandated Compliance Roles

Title IX Coordinator - Federal Law

“All educational institutions receiving Federal financial assistance must designate at least one employee to coordinate their efforts to comply with and carry out their responsibilities under Title IX of the Education Amendments of 1972, which prohibits sex discrimination in education programs and activities. These designated employees are generally referred to as Title IX coordinators. A school’s Title IX coordinator or coordinators are expected to play a critical role in helping a school ensure that every person affected by its operations—including faculty, staff, and students—are aware of their legal rights under Title IX, and that the school and all of its employees, through its policies, procedures, and practices, complies with its legal obligations under Title IX. A school should ensure that the Title IX coordinator is given the visibility, training, authority, and support necessary to fulfill these responsibilities. The coordinator should not have other job responsibilities that may create a conflict of interest. Designating a full-time Title IX coordinator will minimize the risk of a conflict of interest.”

ADA Coordinator - Federal Law

“Designating an ADA Coordinator: If a public entity has 50 or more employees, it is required to designate at least one responsible employee to coordinate ADA compliance. A government entity may elect to have more than one ADA Coordinator. Although the law does not refer to this person as an “ADA Coordinator,” this term is commonly used in state and local governments across the country and will be used in this chapter.

The ADA Coordinator is responsible for coordinating the efforts of the government entity to comply with Title II and investigating any complaints that the entity has violated Title II. The name, office address, and telephone number of the ADA Coordinator must be provided to interested persons.”

Campus Security Authorities - required by the Clery Act - Federal Law

Campus Security Authorities (CSAs) are defined by the Clery Handbook to include campus police/security and affiliated offices, those designated by the institution, and faculty and staff with significant responsibility for students and campus activities.

"Campus Security Authorities include police or security personnel, others with responsibility for security, and personnel with “significant responsibility for student and campus activities, including, but not limited to, student housing, student discipline and campus judicial proceedings.” “Official” is defined rather broadly as “any person who has the authority and the duty to take action or respond to particular issues on behalf of the institution.” The individuals included above must be given the responsibilities of Campus Security Authorities. Institutions may also designate other personnel as Campus Security Authorities, by listing those individuals in the Annual Security Report as “an individual or organization to which students and employees should report criminal offenses.” Pastoral and professional counselors who are so practicing when they receive a report of a crime are exempt from any requirements of Campus Security Authorities, even if they otherwise meet the requirements.

"Institutions must request statistics from all Campus Security Authorities each year to be included in the institution’s Annual Security Report. Campus Security Authorities must forward to the individual or office responsible for Clery Act incident collection (usually Campus Police, Security, or Student Affairs) any allegations of Clery Act crimes that they believe were made in good faith.

"At a minimum for Clery Act purposes, the Campus Security Authority should disclose the details of the crime and the location where the crime occurred. The Campus Security Authority may disclose the name and contact information for the victim or individual reporting the crime, or may agree to keep that information confidential at the request of the victim or individual reporting the crime. All Campus Security Authorities should be trained in the obligations of Campus Security Authorities. In overseas programs, institutions may wish to designate all personnel working frequently with students as Campus Security Authorities, even if they do not meet the technical requirements. In that way, students abroad can feel they can speak to any institutional official overseas to report a crime. This is not a requirement, but is simply a good practice."

Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices. The HIPAA Privacy regulations (45 CFR Part 164.530(a)(1)) require the designation of a privacy official who is responsible for the development and implementation of the entity's privacy policies and procedures. 45 CFR Part 164.530(a)(1)(ii) further requires that a covered entity must "designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520." Each SUNY campus should designate an individual to serve as the Privacy Official for that campus.

The Campus Privacy Official role is to:

Oversee the HIPAA compliance activities of the campus, including the development, implementation and monitoring of campus HIPAA policies and procedures and workforce training;

Serve as the campus resource for issues relating to HIPAA privacy;

Work in concert with the Campus Security Official;

Serve as the campus contact for issues/complaints relating to HIPAA privacy and be listed as the contact person on the campus' Notice of Privacy Practices; and

Oversee campus responses to inquiries from patients and other outside parties. When the campus suspects that a HIPAA privacy violation has occurred, the University Privacy Officer should be notified of: (a) the suspected breach; (b) the investigation process that will be utilized; (c) the findings of the investigation; and (d) the remediation steps that will be taken to prevent future incidents.

According to the SUMMARY OF THE HIPAA SECURITY RULE document published by the United States Department of Health and Human Services (HHS), covered entities must designate security personnel. The summary states that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

The details of this designation are further described in an HHS/DOJ Guidance document on the HIPAA Security Rule, which discusses the security standards and administrative standards of the rule. The document states the following with respect to STANDARD § 164.308(a)(2) and the assigned security responsibility requirement:

The second standard in the Administrative Safeguards section is Assigned Security Responsibility. There are no separate implementation specifications for this standard. The standard requires that covered entities:

“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.” The purpose of this standard is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. Covered entities should be aware of the following when assigning security responsibility.

This requirement is comparable to the Privacy Rule standard at §164.530(a)(1), Personnel Designations, which requires all covered entities to designate a Privacy Official. The Security Official and Privacy Official can be the same person, but are not required to be. While one individual must be designated as having overall responsibility, other individuals in the covered entity may be assigned specific security responsibilities (e.g., facility security or network security). When making this decision covered entities should consider some basic questions. Sample questions for covered entities to consider:

Would it serve the organization’s needs to designate the same individual as both the Privacy and Security Official (for example, in a small provider office)?

Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official?

How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization?

New York State Compliance Roles

Affirmative Action Officer - State law

“New York State's policy is that equal opportunity will be assured in the State's personnel system and that affirmative action will be provided in the administration of that system in accordance with the requirements of the State's Human Rights Law, the mandates of Title VII of the Federal Civil Rights Act of 1964 as amended, and Executive Order No. 6 (1983). The Department of Civil Service is responsible for enforcing the Executive Order and for developing comprehensive statewide affirmative action policies, goals, objectives, and implementation strategies.

Executive Order No. 6 requires that each agency designate a full-time affirmative action officer and develop a written affirmative action program that includes specific goals and timetables for the prompt achievement of full and equal employment opportunities for minorities, women, disabled persons, and Vietnam era veterans at all occupational levels of State government.

Chief Diversity Officer (CDO) – SUNY Policy

The Chief Diversity Officer role is established by SUNY's Diversity, Equity, and Inclusion Policy, Document No. 7809. The Policy requires that each campus, both State-operated and Community College campuses, as well as System Administration, appoint a Chief Diversity Officer ("CDO").

Chief Diversity Officer Role:

Campus CDO: According to the Diversity, Equity, and Inclusion Policy, the campus Chief Diversity Officer must “be a senior member of the campus administration, reporting directly to the president or provost” and will “work collaboratively with offices across campus including but not limited to, the offices of academic affairs, human resources, enrollment management, and admissions - to elevate inclusiveness and implement best practices related to diversity, equity and inclusion in such areas as the recruitment and retention of students and senior administrators, faculty and staff hires” and also “serve as part of a system-wide network of CDOs to support SUNY's overall diversity goals.”

System Administration CDO: According to the Diversity, Equity, and Inclusion Policy, at System Administration, the CDO must “be a senior member of System Administration” and will “work collaboratively with offices across System Administration… to elevate inclusiveness and implement best practices related to diversity, equity and inclusion” and will “support the system-wide network of campus CDOs in collaboration with the Provost and Executive Vice-Chancellor to realize System Administration's goal of becoming the most inclusive system of higher education in the country.”

Efforts to identify the specific duties of the campus Enterprise Risk Management role are currently ongoing as the policy is developed into procedures for the campuses to follow.

Internal Controls Officer - State Law and SUNY Policy

Each campus location must designate an Internal Control Officer. This Officer must coordinate with their campus each year to ensure compliance with the New York State Internal Controls Act, and to report to System Administration's System-wide Internal Controls Officer.

SUNY Policies and Procedures: SUNY Internal Control Program Policy, Document No. 7500. Pursuant to the New York State Government Accountability, Audit and Internal Control Act (Act), this policy outlines the State University of New York’s (University) formalized program of internal control, which is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in achieving its goals and objectives.

SUNY’s Internal Control Program Guidelines, Doc. No. 7501: “Designate an internal control officer at the University and campus levels to implement and review the University’s/campuses’ Internal Control Programs. The University and each of its affected campuses are required to designate an internal control officer. Based upon the internal control officer’s other responsibilities, it may be necessary to delegate certain operational aspects of the campus’ internal control program to designated staff (such as an internal control coordinator). The prescribed qualifications and responsibilities as they relate to the internal control efforts are outlined in Appendix C - Internal Control Responsibilities.”

While no provision of New York law says that we must have an Ethics Officer, the role is recognized by the oversight authority, the Joint Commission on Public Ethics, and Ethics Officers have many roles to ensure compliance with the laws that are within JCOPE’s jurisdiction.

“The Joint Commission on Public Ethics (“JCOPE”) administers and enforces the ethics laws that apply to appointees, officers and employees of New York State agencies, public authorities, public benefit corporations, and commissions ("Agency" or "Agencies"). The ethics laws apply to all of these covered persons, even those appointees who serve on an unpaid or per diem basis. Each Agency must designate an Ethics Officer to serve as the primary liaison to JCOPE.”

OVERVIEW OF ETHICS OFFICER DUTIES AND RESPONSIBILITIES

JCOPE’s regulatory oversight creates legal obligations for both agencies and their officers and employees. For this reason, each agency, including SUNY state-operated campuses, must designate an Ethics Officer to provide guidance to these individuals on compliance with the ethics laws.

The Ethics Officer:

Serves as a liaison between the Agency and JCOPE for statutory and other administrative obligations.

Provides guidance to Agency officers and employees in the interpretation and implementation of ethics laws.

Promotes a culture of integrity by fostering awareness of ethics laws and obligations and serves as a resource on ethics questions.

“Each campus should designate a local records management officer and notify the SUNY RMO of such designation. It is the responsibility of the campus RMO to report annually, by September 1 of each year, to the SUNY RMO on disposition actions taken by such campus during the previous academic year and to maintain the campus inventory of records. Requests for approval of retention schedules with shorter retention periods should be submitted by a campus through their local RMO to the SUNY RMO for transmittal to State Archives.”

Pursuant to the SUNY Child Protection Policy, No. 6505, each campus must ‘Designate a Responsible University Official for each Covered Activity’ under the policy. The Responsible University Official is the employee of the University or University-affiliated organization, who has been designated by the Campus.

Information Security Officer - SUNY Policy

SUNY’s Information Security Procedure, Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, requires that each campus establish an Information Security Officer, whose role is defined as “an assigned person (Officer) or group (Office) or coordinated function (Oversight) that understands the Campus’s information security risk, the Program, and the meaning and intent of the University standards for information security and who presents professionally and legally sound and timely advice to executive management regarding appropriate action, ensuring the Program is exposed to outside, professional perspective, especially that of the University’s central information security oversight function.”

Privacy Compliance Officer - New York State law

The New York State Personal Privacy Protection Law (Public Officers Law §§91-99), with corresponding regulation 8 NYCRR Part 315, requires that SUNY System Administration and the SUNY State-Operated campuses each designate a Privacy Compliance Officer in order to comply fully with the provisions of article 6-A of the Public Officers Law, the Personal Privacy Protection Law. The regulation states as follows: "A privacy compliance officer shall be designated by the chief administrative officer of each State-operated campus. The name, title and business address of the campus privacy compliance officer may be obtained from the office of the chief administrative officer of each campus." SUNY's Compliance with the Personal Privacy Protection Law Policy (Document Number 6603) codifies 8 NYCRR Part 315 by requiring that the University "designate a University employee who shall be responsible for ensuring that the agency complies with all of the provisions of the PPPL (the Privacy Compliance Officer)."

The regulation also states that the "Privacy compliance officers are responsible for ensuring appropriate responses to requests for access to and for amendment or correction of records in accordance with the Personal Privacy Protection Law. The designation of privacy compliance officers shall not be construed to prohibit officials who have in the past been authorized to make records available or to amend or correct such records from continuing to do so. Privacy compliance officers shall ensure that personnel: (1) assist a data subject in identifying and requesting personal information, if necessary; (2) describe the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to the data subject; (3) take one of the following actions upon locating the record sought: (i) make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided; (ii) permit the data subject to copy the record; or (iii) deny access to the record in whole or in part and explain in writing the reasons therefor; (4) upon request for copies of records, make a copy available upon payment of 25 cents per page; (5) upon request, certify that a copy of a record is a true copy; or (6) upon request, certify that: (i) the university or campus does not have possession of the record sought; (ii) the university or campus cannot locate the record sought after having made a diligent search; or (iii) the information sought cannot be retrieved by use of the description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the university or campus."

Domestic Violence Liaison - SUNY Policy to comply with the New York State law on Domestic Violence

New York State Executive Order # 19, which was adopted in 2007, required that all State Agencies, including SUNY, adopt a Domestic Violence in the Workplace Policy. Each state agency was required to formulate and issue a Domestic Violence in the Workplace Policy by August 1, 2008, using the Office for the Prevention of Domestic Violence (OPDV) Model Domestic Violence and the Workplace Policy as a guide. Each SUNY Campus is required to review its policy ANNUALLY, and to submit any changes to the SUNY System Affirmative Action Officer.

The SUNY Model Domestic Violence Policy, which was written to serve as a model for campus local policies, required that each campus location designate a Domestic Violence liaison who would serve as a point person at the campus for reporting to System Administration on Domestic Violence issues. The Model Domestic Violence and the Workplace Policy template, available on the SUNY Compliance website Domestic Violence page, states the following with regard to the Domestic Violence campus role:

I. Workplace Safety Plans

By means of a domestic violence workplace safety response plan, [CAMPUS] shall make employees aware of their options and available resources and help employees safeguard each other and report domestic violence to designated officials.

a. The designated liaison between [CAMPUS] and SUNY System Administration is [NAME OR OFFICE TITLE OF DESIGNATED AGENT]. This liaison will ensure campus wide implementation of this policy, and serve as the primary liaison with System Administration regarding this policy. The System Administration designated liaison will communicate with the Office for the Prevention of Domestic Violence (OPDV) on behalf of campuses as it relates to reporting.

Project Sunlight Liaison - New York Law

Project Sunlight, a component of the Public Integrity Reform Act of 2011 (Ch. 399, Part A, §4, L. 2011), is a New York State online database that provides the public with an opportunity to see what entities and individuals are interacting with government decision-makers at the various State entities. Effective January 1, 2013, State entities (including SUNY & SUNY State-operated campuses) are required to report to the OGS database 'appearances' by individuals/firms who 'appear' before State decision-makers or persons who advise decision-makers (decision makers and decision advisors are considered 'covered individuals' under the law). The Project Sunlight database, hosted by the NYS Office of General Services, aggregates the inputted data and makes it available to the public for viewing. A New York State Project Sunlight Policy was developed to clearly define what 'appearances' must be reported under the law.

Through Project Sunlight and the SUNY plan to outline compliance with the law, each campus is required to ‘Designate one/several individuals responsible for entering data in the OGS Project Sunlight database.’

The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials. For legal advice, consult your lawyer.